Author Archive - Abigail Pichel (Technical Communications)

The first Patch Tuesday of the year is relatively light, with Microsoft rolling out only four bulletins for the month. Despite the small figure, users must update their systems immediately to avoid possible threats leveraging software vulnerabilities.

Included in this month’s release are updates for three privately reported vulnerabilities found in Microsoft Office. If exploited, these vulnerabilities could allow an attacker to gain the same user rights as the current user. Such access could prove damaging, especially to those with administrative user rights.

This month’s release also addresses two vulnerabilities that deal with elevation of privilege. The last bulletin addresses an issue affecting Microsoft Dynamics AX that can allow denial of service if the vulnerability is exploited.

January 2014 marks one of the last months that Windows XP will receive patches. As previously reported, Microsoft is ending its support of this particular OS on April 2014, a good few months away. Users and enterprises should seriously consider migrating to later versions of Windows to continue receiving patches for vulnerabilities.

We recently came across a CryptoLocker variant that had one notable feature—it has propagation routines.

Analysis of the malware, detected as WORM_CRILOCK.A, shows that this malware can spread via removable drives. This update is considered significant because this routine was unheard of in other CRILOCK variants. The addition of propagation routines means that the malware can easily spread, unlike other known CRILOCK variants.

Aside from its propagation technique, the new malware bears numerous differences from known CryptoLocker variants. Rather than relying on a downloader malware—often UPATRE— to infect systems, this malware pretends to be an activator for various software such as Adobe Photoshop and Microsoft Office in peer-to-peer (P2P) file sharing sites. Uploading the malware in P2P sites allows bad guys to easily infect systems without the need to create (and send) spammed messages.

Further analysis of WORM_CRILOCK reveals that it has a stark difference compared to previous variants. The malware has foregone domain generation algorithm (DGA). Instead, its command-and-control (C&C) servers are hardcoded into the malware. Hardcoding the URLs makes it easier to detect and block the related malicious URLs. DGA, on the other hand, may allow cybercriminals to evade detection as it uses a large number of potential domains. This could mean that the malware is still in the process of being refined and improved upon. Thus, we can expect latter variants to have the DGA capability.

The differences between this particular CRILOCK variant and the others have led some researchers to believe that this malware is the product of a copycat. Regardless of its creator, WORM_CRILOCK.A shows that this could become the new favored attack method of cybercriminals.

Users should avoid using P2P sites to get copies of software. They should always download software from official and/or reputable sites. Given WORM_CRILOCK’s ability to spread via removable drives, users should also exercise caution when using flash drives and the like. Users should never connect their drives into unfamiliar or unknown machines. Our blog entry, Defending Against CryptoLocker, discusses at length additional ways of protecting a computer and a network against CryptoLocker malware.

Trend Micro uses AEGIS (behavior monitoring) to detect and block all threats related to this malware. For more information on ransomware’s background, you may visit this page. You may also refer to our FAQ page on Cryptolocker for a more comprehensive view about the malware.

We recently noticed that there has been an increase in spammed messages that use airline information as bait. These messages are made to look like notifications from airlines such as Delta Airlines, British Airways, US Airways, and American Airlines. Each message comes with an attachment—often in the form of a fake e-ticket—that recipients are supposed to open. This attachment is actually a BKDR_KULUOZ variant.

Figure 1. Screenshot of sample spam

KULUOZ variants are known to download and execute other malware, such as SIREFEF/ZACCESS and FAKEAV variants. KULUOZ variants are also evolving: we’ve even seen one variant, detected as BKDR_KULUOZ.MN, that collect system information including the antivirus installed in the affected computer. This is a routine previously unheard of from this malware family.

While we have seen KULUOZ spam in the past, there have been no significant change in numbers in the past several months. KULUOZ spam now represents nearly half of all malicious spam attachments.

Figure 2. Breakdown of spam attachments over a one-week period

Based on our investigation, this batch of BKDR_KULUOZ is distributed by the Cutwail/Pushdo botnet. Previously, we noted that the said botnet was responsible for sending out Blackhole Exploit kit (BHEK)-like spam that serve UPATRE variants.

Previous instances of KULUOZ spam used shipping and airline notifications as bait. The exclusive use of airline tickets in this new campaign could be a deliberate move, considering people frequently travel over the holidays. Victims may be more inclined to click attachments if they’re actually expecting airline tickets.

Users should remain extremely careful when opening messages. Since most messages are specially crafted to look as legitimate as possible, it’s ideal to double-check with the sender to see if an email is legitimate. Trend Micro Smart Protection Network blocks all related threats in this attack.

The last Patch Tuesday of the year features 11 bulletins, with five rated as Critical and the remaining as Important. This month’s release addresses a notable zero-day vulnerability that was used in attacks. The particular bulletin—MS13-096—was noticeably absent in last month’s Patch Tuesday. As previously reported, attackers took advantage of the vulnerability by embedding .DOC files with malicious .TIFF files to gain account privileges.

Unfortunately, another zero-day vulnerability remains unpatched. Microsoft earlier that a security fix for the escalation of privilege vulnerability (CVE-2013-5065) was not included in this month’s security releases. Thus, recommendations and workarounds suggested at that time of its discovery remain in effect. Trend Micro Deep Security has been protecting users from threats exploiting this vulnerability via the rule 1005801 – Microsoft Windows Kernel Elevation Of Privilege Vulnerability (CVE-2013-5065) since its discovery.

Users are advised to apply these security updates as soon as possible, as well as visit the Trend Micro Threat Encyclopedia page. Trend Micro Deep Security protects customers from threats via the following rules:

Spam may be seen by the public as a minor nuisance now, but this couldn’t be further from the truth. We recently encountered spam that triggers an infection chain with ZBOT malware as the end result.

The spammed message is supposed to have come from Allergan Limited, the UK arm of the global health care company Allergan, Inc. The message informs the recipient that the attachment contains information about the recipient’s medical information. This attachment is actually malicious and is detected as TROJ_ARTIEF.PI. This malware takes advantage the MSCOMCTL.OCX RCE vulnerability (CVE-2012-0158), which affects versions of Microsoft Office (specifically 2003, 2007, and 2010). This vulnerability was also targeted in other threats that we documented, including the spoofed APEC 2013 email and the EvilGrab malware found in the Asia-Pacific region.

Figure 1. Fake email from Allergan Limited

This malware drops and executes BKDR_LIFTOH.AD. This backdoor often downloads ZBOT. In this instance, the backdoor leads to the download of TSPY_ZBOT.VHP. ZBOT malware are known for stealing user login credentials, account information etc., in particular targeting online banking users.

This isn’t the only spam that employs the same attack. We spotted other spam with the same malware attachment, but with different content. Content from these emails suggests that these messages target British users.

Figures 2 and 3. Other similar spammed messages

Users should always take extra precaution when dealing with e-mail attachments; in general these should not be opened unless Email from unknown senders should be ignored or immediately deleted. Trend Micro protects users from this threat by blocking the spam messages and detecting the malware cited in this entry.

With additional insights from Eruel Ramos and Alvin Bacani

Posted in Malware, Spam | Comments Off on British Users Targeted By Health-Related ZBOT Spam